Data Protection Policy
General statement of Hepple Property Care’s Duties and Scope.
Hepple Property Care is required to process relevant personal data regarding employee, customer,
suppliers and sub-contractors as part of its operations and shall take all reasonable steps to do so in
accordance with the law and this policy. This policy sets out our commitment to protecting personal
data and how we will ensure that employees understand how to handle data they have access to as
part of their work.
Data Protection Controller
Hepple Property Care has appointed the office manager, Trudy Shaw, as the Data Protection
Controller (DPC) who will endeavour to ensure that all personal data is processed in compliance with
this Policy, The Principles of the Data Protection Act and the General Data Protection Regulation
Data Protection Principles
Hepple Property Care will comply with the Data Protections Act and the General Data Protection
Regulation principles and ensure that personal data is:-
Processed fairly and lawfully and in a transparent manner;
Obtained for one or more specified, explicit and lawful purposes;
Adequate, relevant and only limited to what is required;
Accurate and where necessary kept up to date;
Not kept in a form which permits identification of data subjects for longer than is necessary;
Processed in accordance with the rights of the data subjects;
Processed in a manner that ensures appropriate security of the personal data.
Personal information means any data or information in paper or digital format, relating to a living
individual. Personal data covers both facts and opinions about an individual where that data
identifies an individual. For example, it includes information necessary for employment such as a
member of staff’s name and address. Personal data may also include sensitive personal data as
defined in the Act & Regulation.
Sensitive Personal Data
Hepple Property Care may, from time to time, be required to process sensitive personal data.
Sensitive personal data includes data relating to medical information, gender, religion, race, trade
union membership and criminal records and proceedings. Any information which falls under the definition of personal data will remain confidential and will only be used for the purpose for which is it held.
Rights of Access to Information
Data subjects have the right of access to information held by Hepple Property Care, subject to the
provisions in the Data Protection Act 1998 and the Freedom of Information Act 2000. Any data
subject wishing to access their personal data should put their request in writing to Hepple Property
Care. We will endeavour to respond to any such written requests as soon as is reasonably
practicable and in any event, within 40 days for access to records and 21 days to provide a reply to
an access to information request.
Certain data is exempted from the Provisions of the Data Protection Act and the General Data
Protection Regulation, which includes the following:-
National security and the prevention or detection of crime;
The assessment of any tax or duty;
Where the processing is necessary to exercise a right or obligation conferred or imposed by
the law upon Hepple Property Care.
Hepple Property Care will endeavour to ensure that all personal data held in relation to all data
subjects is accurate. Data subjects must notify the data processor of any changes to information held
Hepple Property Care will take appropriate technical and organisational steps to ensure the security
of personal data. All digital data is password locked and all written data is stored securely.
Data Protection training is important so that all employees understand their responsibilities. All
employees are required to respect personal data and privacy of others and must ensure appropriate
protection and security measures are taken against unlawful or unauthorised processing of personal
data, and against the accidental loss of, or damage to all personal data.
Serious breaches of the policy caused by deliberate, negligent or reckless behaviour could result in
disciplinary action and may even lead to criminal prosecution.
Where those breaching the policy are not employees of Hepple Property Care, this will be regarded
as a breach of contract and may lead to termination of their contract.
Retention of data and secure destruction
Hepple Property Care may retain data for differing periods of time for different purposes as required
by statute, law or best practices.
When data held in accordance with this policy is destroyed, it will be destroyed securely in
accordance with best practice at the time of destruction by an external contractor. A certificate of
destruction will be retained as proof.
Hepple Property Care owns and operates a CCTV network for the purpose of crime prevention and detections. Where a data subject can be identified, images must be processed as personal data.
What personal information does Hepple Property Care store and why?
To explain how Hepple Property Care has prepared for the GDPR, it’s helpful to understand the key
groups of people we hold personal information about:
1. Potential customers who have explicitly contacted us requesting our services.
These people may have contacted us by email or telephone to request a property survey or
a quote on a property.
2. Current paying customers of Hepple Property Care and tenants.
We keep information about paying customers like name, physical address, phone number,
email address because they are required for several critical aspects of our service.
3. Past customers of Hepple Property Care
If we have carried out work on a customer’s property or issued a long term guarantee, this
will be stored in paper form in a locked cabinet at our premises and stored digitally using
password protection. After a period of time the customers record will be deleted where no
longer required for business purposes or where quotes have expired or reports are no longer
4. Sub Contractor’s Details
Necessary for our business and taxation purposes.
5. Employee personal data
Includes pay details, next of kin, name, address, NI number and sensitive medical data.
As per the GDPR’s right to be deleted if any of these groups of people request Hepple Property Care
to delete all instances of their personal information, we would follow through without delay.
Date of release: 22nd May 2018